Solved

Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block inheritance set?

Posted on 2008-10-15
5
380 Views
Last Modified: 2010-04-21
Is there a way to block a GPO from reaching a particular computer without putting the computer in an OU with block policy inheritance set?  I want to block a software GPO policy on particular computers, but I don't want to move the computer(s) to their own OU.

Thank you!
0
Comment
Question by:cc_mbx
5 Comments
 
LVL 13

Accepted Solution

by:
martin_babarik earned 200 total points
Comment Utility
Hello.

yes it quite simple: put all of those computers to a security group and in Group policy management console select the GPO you want to block, switch to a Delegation tab, add a group here to a list, then select the group, click Advanced and assign them Deny permission for Read and Apply group policy object.
Martin
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 100 total points
Comment Utility
It's important to note that the computers in question will need to be rebooted after they have been added to the security group in question.
0
 
LVL 6

Assisted Solution

by:deiaccord
deiaccord earned 200 total points
Comment Utility
Another alternative is when you link the GPO associate it with a WMI filter.

To create a WMI filter under Group Policy Management you should have a WMI filters section for the domain in question. Create a new filter with settings something like the below

Namespace: root\CIMV2
Query: SELECT * FROM Win32_ComputerSystem WHERE Name <> 'Computer1' OR Name <> 'Computer2'

Attach this to your GPO and computers called Computer1 or Computer2 will not get the GPO applied to them
0
 
LVL 13

Expert Comment

by:martin_babarik
Comment Utility
Thank you Laura for adding this comment, quite important:-)
Martin
0
 

Author Closing Comment

by:cc_mbx
Comment Utility
Thank you!
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now